Software Verification and System Assurance
|
|
- Melina Dinah Baldwin
- 8 years ago
- Views:
Transcription
1 Software Verification and System Assurance John Rushby Based on joint work with Bev Littlewood (City University UK) Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Verification & Assurance 1
2 Introduction Verification was the original goal of formal methods Proving correctness of programs Nowadays, overtaken by more pragmatic goals Generating test cases, synthesizing monitors, bug finding Verifying limited properties: static analysis, extended type checking Also, the whole idea of verification has come into question Proving the absence of errors is an overly strong claim Lots of caveats about assumptions, fidelity of models etc. Plus, software is usually only part of a larger system And it s the system we care about John Rushby, SR I Verification & Assurance 2
3 Software Correctness vs. System Claims The top-level requirements for most complex systems are stated quantitatively E.g., no catastrophic failure in the lifetime of all airplanes of one type And these lead to probabilistic requirements for software-intensive subsystems E.g., probability of failure in flight control less than 10 9 per hour But formal methods in general And formal verification in particular Are about correctness... an absolute notion How do we connect the absolute claims of formal verification for software with probabilistic requirements at the system level? John Rushby, SR I Verification & Assurance 3
4 Software Reliability Software contributes to system failures through faults in its requirements, design, implementation bugs A bug that leads to failure is certain to do so whenever it is encountered in similar circumstances There s nothing probabilistic about it Aaah, but the circumstances of the system are a stochastic process So there is a probability of encountering the circumstances that activate the bug Hence, probabilistic statements about software reliability or failure are perfectly reasonable Typically speak of probability of failure on demand (pfd), or failure rate (per hour, say) John Rushby, SR I Verification & Assurance 4
5 Measuring/Predicting Software Reliability For pfds down to about 10 4, it is feasible to measure software reliability by statistically valid random testing But 10 9 would need 114,000 years on test So how do we establish that a piece of software is adequately reliable for a system that requires, say, 10 6? Most standards for system safety (e.g., IEC 61508, DO178B) require you to show that you did a lot of V&V e.g., 57 V&V objectives at DO178B Level C (10 5 ) And you have to do more for higher levels 65 objectives at DO178B Level B (10 7 ) 66 objectives at DO178B Level A (10 9 ) John Rushby, SR I Verification & Assurance 5
6 Does More Correct Mean More Reliable? These V&V objectives are all about correctness Requirements tracing, testing etc. More V&V objectives might make the software more correct but what does that have to do with reliability? And what does more correct mean anyway? John Rushby, SR I Verification & Assurance 6
7 Possibly Perfect Software Instead of correct software Which is about conformance with specification We ll speak of perfect software Software that will never experience a failure in operation, no matter how much operational exposure it has You might not believe a given piece of software is perfect But you might concede it has a possibility of being perfect And the more V&V it has had, the greater that possibility So let s speak of a probability of perfection Think of all the software that might have been developed by comparable engineering processes to solve the same design problem as the software at hand The probability of perfection is then the probability that any software randomly selected from this class is perfect John Rushby, SR I Verification & Assurance 7
8 Probabilities of Perfection and Failure Probability of perfection relates to correctness-based V&V And it also relates to reliability: By the formula for total probability P(s/w fails [on a randomly selected demand]) (1) = P(s/w fails s/w perfect) P(s/w perfect) + P(s/w fails s/w imperfect) P(s/w imperfect). The first term in this sum is zero, because the software does not fail if it is perfect Can then, very conservatively, assume that the software always fails if it imperfect, so that the first factor in the second term becomes 1 Hence, very crudely, and very conservatively, P(software fails) < P(software imperfect) (2) John Rushby, SR I Verification & Assurance 8
9 Two Channel Systems Many safety-critical systems have two (or more) diverse channels E.g., nuclear shutdown, flight control One operational channel does the business A simpler channel provides a backup or monitor Cannot simply multiply the pfds of the two channels to get pfd for the system Failures are unlikely to be independent Failure of one channel suggests this is a difficult case, so failure of the other is more likely Infeasible to measure amount of dependence John Rushby, SR I Verification & Assurance 9
10 Two Channel Systems and Possible Perfection But if the second channel is possibly perfect Its imperfection is conditionally independent of failures in the first channel Hence, system pfd is conservatively bounded by product of pfd of first channel and probability of imperfection of the second Joint work with Bev Littlewood (reported elsewhere) Who originated the idea of possible perfection May provide justification for some of the architectures suggested in ARP 4754 e.g., 10 9 system made of Level C operational channel and Level A monitor John Rushby, SR I Verification & Assurance 10
11 Aside: Monitors Do Fail Fuel emergency on Airbus A , G-VATL, 8 February 2005 Type 1 failure EFIS Reboot during spin recovery on Airbus A300 (American Airlines Flight 903), 12 May 1997 Type 2 failure Current proposals are for formally synthesized/verified monitors for properties in the safety case John Rushby, SR I Verification & Assurance 11
12 Aleatory and Epistemic Uncertainty Aleatory or irreducible uncertainty is uncertainty in the world e.g., if I have a biased coin with P(heads) = p h, I cannot predict exactly how many heads will occur in 100 trials because of randomness in the world Frequentist interpretation of probability needed here Epistemic or reducible uncertainty is uncertainty about the world e.g., if I give you the biased coin, you will not know p h ; you can estimate it, and can try to improve your estimate by doing experiments, learning something about its manufacture, the historical record of similar coins etc. Frequentist and subjective interpretations OK here John Rushby, SR I Verification & Assurance 12
13 Aleatory and Epistemic Uncertainty in Models In much scientific modeling, the aleatory uncertainty is captured conditionally in a model with parameters And the epistemic uncertainty centers upon the values of these parameters As in the coin tossing example Analysis in (1) was aleatory, with parameters p np probability the software is imperfect p fnp probability that it fails, if it is imperfect P(software fails) < p fnp p np John Rushby, SR I Verification & Assurance 13
14 Epistemic Estimation To apply this result, we need to assess values for p fnp and p np These are most likely subjective probabilities i.e., degrees of belief Beliefs may not be independent So will be represented by some joint distribution F(p fnp, p np ) Probability of system failure will be given by the Riemann-Stieltjes integral p fnp p np df(p fnp, p np ). (3) 0 p fnp 1 0 pnp 1 If beliefs can be separated F factorizes as F(p fnp ) F(p np ) And (3) becomes P fnp P np Where these are the means of the posterior distributions representing the assessor s beliefs about the two parameters John Rushby, SR I Verification & Assurance 14
15 Formal Verification and the Probability of Perfection We want to assess P np Context is likely a safety case in which claims about a system are justified by an argument based on evidence about the system and its development Suppose part of the evidence is formal verification i.e., what is the probability of perfection of formally verified software? Let s consider where formal verification can go wrong John Rushby, SR I Verification & Assurance 15
16 The Basic Requirements For The Software Are Wrong This error is made before any formalization It seems to be the dominant source of errors in flight software But monitoring and backup software is built to requirements taken directly from the safety case If these are wrong, we have big problems In any case, it s not specific to formal verification So we ll discount this concern John Rushby, SR I Verification & Assurance 16
17 The Requirements etc. are Formalized Incorrectly Could also be the assumptions, or the design Formalization may be inconsistent i.e., meaningless Many Z specs are like this Can be eliminated using constructive specifications In a tool-supported framework That guarantees conservative extension But that s not always appropriate Prefer to state assumptions as axioms Consistency can then be guaranteed by exhibiting a constructive model (interpretation) PVS can do this So we can eliminate this concern John Rushby, SR I Verification & Assurance 17
18 The Requirements etc. are Formalized Incorrectly (ctd.) Formalization may be consistent, but wrong In my experience, this is the dominant source of errors in formal verification There are papers on errors in my specifications Formal specifications that have not been subjected to analysis are no more likely to be correct than programs that have never been run In fact, less so: engineers have better intuitions about programs than specifications Should challenge formal specifications Prove putative theorems Get counterexamples for deliberately false conjectures Directly execute them on test cases Social process operates on widely used theories John Rushby, SR I Verification & Assurance 18
19 The Requirements etc. are Formalized Incorrectly (ctd. 2) Even if a theory or specification is formalized incorrectly, it does not necessarily invalidate all theorems that use it Only if the verification actually exploits the incorrectness will the validity of the theorem be in doubt Even then, it could still be true, but unproven Some verification systems identify all the axioms and definitions on which a formally verified conclusion depends PVS does this If these are correct, then logical validity of the verified conclusion follows by soundness of the verification system So can apply special scrutiny to them John Rushby, SR I Verification & Assurance 19
20 The Formal Specification and Verification is Discontinuous or Incomplete Discontinuities arise when several analysis tools are applied in the same specification e.g., static analyzer, model checker, timing analyzer Concern is that different tools ascribe different semantics Increasing issue as specialized tools outstrip monolithic ones Need integrating frameworks such as a tool bus Most significant incompleteness is generally the gap between the most detailed model and the real thing Algorithms vs. code, libraries, OS calls That s one reason why we still need testing Driven from the formal specification Cf. penetration tests for secure systems: probe the assumptions John Rushby, SR I Verification & Assurance 20
21 Unsoundness In the Verification System All verification systems have had soundness bugs But none have been exploited to prove a false theorem Many efforts to guarantee soundness are costly e.g., reduction to elementary steps, proof objects What does soundness matter if you cannot do the proof? A better approach is KOT: the Kernel Of Truth (Shankar) A ladder of increasingly powerful verified checkers Untrusted prover leaves a trail, blessed by verified checker More powerful checkers guaranteed by one-time check of its verification by the one above The more powerful the verified checker, the more economical the trail can be (little more than hints) John Rushby, SR I Verification & Assurance 21
22 KOT: A Ladder of Verified Checkers Untrusted Frontline Verifier Hints Verified Offline Verifier Certificates Verified Checker Proofs Trusted Proof Kernel Shankar and Marc Vaucher have verified a modern SAT solver that is executable (modulo lacunae in the PVS evaluator) John Rushby, SR I Verification & Assurance 22
23 Application Suppose we need P np of 10 4 Bulk of this budget should be divided between incorrect formalization and incompleteness of the formal analysis, with small fraction allocated to unsoundness of verification system Through sufficiently careful and comprehensive formal challenges, it is plausible an assessor can assign a subjective posterior probability of imperfection on the order of 10 4 to the formal statements on which a formal verification depends Through testing and other scrutiny, a similar figure can be assigned to the probability of imperfection due to discontinuities and incompleteness in the formal analysis By use of a verification system with a trusted or verified kernel, or trusted, verified, or diverse checkers, assessor can assign probability of 10 5 or smaller that the theorem prover incorrectly verified the theorems that attest to perfection John Rushby, SR I Verification & Assurance 23
24 Discussion These numbers are feasible and plausible Formal methods and their tools do not need to be held to (much) higher standards than the systems they assure But what are we to do about single channel systems that require 10 9? Type 2 failures of monitors (incorrect activation) may be in this class Topic for investigation and discussion whether such assessments could be considered feasible and credible John Rushby, SR I Verification & Assurance 24
25 Conclusion Probability of perfection is a radical and valuable idea Provides the bridge between correctness-based verification activities and probabilistic claims needed at the system level Relieves formal verification, and its tools, of the burden of absolute perfection John Rushby, SR I Verification & Assurance 25
What Is Assurance? John Rushby Based on joint work with Bev Littlewood (City University UK)
What Is Assurance? John Rushby Based on joint work with Bev Littlewood (City University UK) Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I What Is Assurance? 1 A Conundrum
More informationNew Challenges In Certification For Aircraft Software
New Challenges In Certification For Aircraft Software John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Aircraft Software Certification 1 Overview The basics
More informationIntroduction to Static Analysis for Assurance
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis?
More informationLectures for Marktoberdorf 2010 Summer School Software and Systems Safety: Specification and Verification
Lectures for Marktoberdorf 2010 Summer School Software and Systems Safety: Specification and Verification Formal Methods And Argument-based Safety Cases John Rushby Computer Science Laboratory SRI International
More informationSoftware Verification/Validation Methods and Tools... or Practical Formal Methods
Software Verification/Validation Methods and Tools... or Practical Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Practical Formal Methods: 1
More informationAutomated Theorem Proving - summary of lecture 1
Automated Theorem Proving - summary of lecture 1 1 Introduction Automated Theorem Proving (ATP) deals with the development of computer programs that show that some statement is a logical consequence of
More informationQuestion: What is the probability that a five-card poker hand contains a flush, that is, five cards of the same suit?
ECS20 Discrete Mathematics Quarter: Spring 2007 Instructor: John Steinberger Assistant: Sophie Engle (prepared by Sophie Engle) Homework 8 Hints Due Wednesday June 6 th 2007 Section 6.1 #16 What is the
More informationSoftware Active Online Monitoring Under. Anticipatory Semantics
Software Active Online Monitoring Under Anticipatory Semantics Changzhi Zhao, Wei Dong, Ji Wang, Zhichang Qi National Laboratory for Parallel and Distributed Processing P.R.China 7/21/2009 Overview Software
More informationRigorous Methods for Software Engineering (F21RS1) High Integrity Software Development
Rigorous Methods for Software Engineering (F21RS1) High Integrity Software Development Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University
More informationReview. Bayesianism and Reliability. Today s Class
Review Bayesianism and Reliability Models and Simulations in Philosophy April 14th, 2014 Last Class: Difference between individual and social epistemology Why simulations are particularly useful for social
More informationCompositional Security Evaluation: The MILS approach
Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong,
More informationIntroduction to. Hypothesis Testing CHAPTER LEARNING OBJECTIVES. 1 Identify the four steps of hypothesis testing.
Introduction to Hypothesis Testing CHAPTER 8 LEARNING OBJECTIVES After reading this chapter, you should be able to: 1 Identify the four steps of hypothesis testing. 2 Define null hypothesis, alternative
More informationThe Road from Software Testing to Theorem Proving
The Road from Software Testing to Theorem Proving A Short Compendium of my Favorite Software Verification Techniques Frédéric Painchaud DRDC Valcartier / Robustness and Software Analysis Group December
More informationTheorem (informal statement): There are no extendible methods in David Chalmers s sense unless P = NP.
Theorem (informal statement): There are no extendible methods in David Chalmers s sense unless P = NP. Explication: In his paper, The Singularity: A philosophical analysis, David Chalmers defines an extendible
More informationStatic Program Transformations for Efficient Software Model Checking
Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin Dependable Systems Large and complex systems Software faults are major
More informationLecture 8 The Subjective Theory of Betting on Theories
Lecture 8 The Subjective Theory of Betting on Theories Patrick Maher Philosophy 517 Spring 2007 Introduction The subjective theory of probability holds that the laws of probability are laws that rational
More informationWhen Betting Odds and Credences Come Apart: More Worries for Dutch Book Arguments
When Betting Odds and Credences Come Apart: More Worries for Dutch Book Arguments Darren BRADLEY and Hannes LEITGEB If an agent believes that the probability of E being true is 1/2, should she accept a
More informationMTH6120 Further Topics in Mathematical Finance Lesson 2
MTH6120 Further Topics in Mathematical Finance Lesson 2 Contents 1.2.3 Non-constant interest rates....................... 15 1.3 Arbitrage and Black-Scholes Theory....................... 16 1.3.1 Informal
More informationThe MILS Component Integration Approach To Secure Information Sharing
The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar
More informationarxiv:1112.0829v1 [math.pr] 5 Dec 2011
How Not to Win a Million Dollars: A Counterexample to a Conjecture of L. Breiman Thomas P. Hayes arxiv:1112.0829v1 [math.pr] 5 Dec 2011 Abstract Consider a gambling game in which we are allowed to repeatedly
More informationIndiana State Core Curriculum Standards updated 2009 Algebra I
Indiana State Core Curriculum Standards updated 2009 Algebra I Strand Description Boardworks High School Algebra presentations Operations With Real Numbers Linear Equations and A1.1 Students simplify and
More informationA Few Basics of Probability
A Few Basics of Probability Philosophy 57 Spring, 2004 1 Introduction This handout distinguishes between inductive and deductive logic, and then introduces probability, a concept essential to the study
More informationSoftware testing. Objectives
Software testing cmsc435-1 Objectives To discuss the distinctions between validation testing and defect testing To describe the principles of system and component testing To describe strategies for generating
More informationTHE FUNDAMENTAL THEOREM OF ARBITRAGE PRICING
THE FUNDAMENTAL THEOREM OF ARBITRAGE PRICING 1. Introduction The Black-Scholes theory, which is the main subject of this course and its sequel, is based on the Efficient Market Hypothesis, that arbitrages
More informationPascal is here expressing a kind of skepticism about the ability of human reason to deliver an answer to this question.
Pascal s wager So far we have discussed a number of arguments for or against the existence of God. In the reading for today, Pascal asks not Does God exist? but Should we believe in God? What is distinctive
More informationCertification of a Scade 6 compiler
Certification of a Scade 6 compiler F-X Fornari Esterel Technologies 1 Introduction Topic : What does mean developping a certified software? In particular, using embedded sofware development rules! What
More informationUsing game-theoretic probability for probability judgment. Glenn Shafer
Workshop on Game-Theoretic Probability and Related Topics Tokyo University February 28, 2008 Using game-theoretic probability for probability judgment Glenn Shafer For 170 years, people have asked whether
More informationSystem-on-Chip Design Verification: Challenges and State-of-the-art
System-on-Chip Design Verification: Challenges and State-of-the-art Prof. Sofiène Tahar Hardware Verification Group Concordia University Montréal, QC, CANADA MCSOC 12 Aizu-Wakamatsu, Fukushima, Japan September
More informationIterated Dynamic Belief Revision. Sonja Smets, University of Groningen. website: http://www.vub.ac.be/clwf/ss
LSE-Groningen Workshop I 1 Iterated Dynamic Belief Revision Sonja Smets, University of Groningen website: http://www.vub.ac.be/clwf/ss Joint work with Alexandru Baltag, COMLAB, Oxford University LSE-Groningen
More informationRevised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)
Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.
More informationEconomics 1011a: Intermediate Microeconomics
Lecture 12: More Uncertainty Economics 1011a: Intermediate Microeconomics Lecture 12: More on Uncertainty Thursday, October 23, 2008 Last class we introduced choice under uncertainty. Today we will explore
More information1 Introduction to Option Pricing
ESTM 60202: Financial Mathematics Alex Himonas 03 Lecture Notes 1 October 7, 2009 1 Introduction to Option Pricing We begin by defining the needed finance terms. Stock is a certificate of ownership of
More informationThe Trip Scheduling Problem
The Trip Scheduling Problem Claudia Archetti Department of Quantitative Methods, University of Brescia Contrada Santa Chiara 50, 25122 Brescia, Italy Martin Savelsbergh School of Industrial and Systems
More informationSpecification and Analysis of Contracts Lecture 1 Introduction
Specification and Analysis of Contracts Lecture 1 Introduction Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov.
More informationDiscrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2
CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2 Proofs Intuitively, the concept of proof should already be familiar We all like to assert things, and few of us
More informationThe Role of Dispute Settlement Procedures in International Trade Agreements: Online Appendix
The Role of Dispute Settlement Procedures in International Trade Agreements: Online Appendix Giovanni Maggi Yale University, NBER and CEPR Robert W. Staiger Stanford University and NBER November 2010 1.
More informationor conventional implicature [1]. If the implication is only pragmatic, explicating logical truth, and, thus, also consequence and inconsistency.
44 ANALYSIS explicating logical truth, and, thus, also consequence and inconsistency. Let C1 and C2 be distinct moral codes formulated in English. Let C1 contain a norm N and C2 its negation. The moral
More informationWHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?
WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly
More informationFactoring & Primality
Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount
More information54 Robinson 3 THE DIFFICULTIES OF VALIDATION
SIMULATION MODEL VERIFICATION AND VALIDATION: INCREASING THE USERS CONFIDENCE Stewart Robinson Operations and Information Management Group Aston Business School Aston University Birmingham, B4 7ET, UNITED
More informationLoad Balancing and Switch Scheduling
EE384Y Project Final Report Load Balancing and Switch Scheduling Xiangheng Liu Department of Electrical Engineering Stanford University, Stanford CA 94305 Email: liuxh@systems.stanford.edu Abstract Load
More informationVDM vs. Programming Language Extensions or their Integration
VDM vs. Programming Language Extensions or their Integration Alexander A. Koptelov and Alexander K. Petrenko Institute for System Programming of Russian Academy of Sciences (ISPRAS), B. Communisticheskaya,
More informationDoes rationality consist in responding correctly to reasons? John Broome Journal of Moral Philosophy, 4 (2007), pp. 349 74.
Does rationality consist in responding correctly to reasons? John Broome Journal of Moral Philosophy, 4 (2007), pp. 349 74. 1. Rationality and responding to reasons Some philosophers think that rationality
More informationRange A Pilot Study by Michael A. Levi by Gabrielle Petron et al. Accepted for publication in Journal of Geophysical Research Atmospheres
Reply to Reply to Comment on Hydrocarbon emissions characterization in the Colorado Front Range A Pilot Study by Michael A. Levi by Gabrielle Petron et al. Accepted for publication in Journal of Geophysical
More informationThe Classes P and NP
The Classes P and NP We now shift gears slightly and restrict our attention to the examination of two families of problems which are very important to computer scientists. These families constitute the
More informationHomework until Test #2
MATH31: Number Theory Homework until Test # Philipp BRAUN Section 3.1 page 43, 1. It has been conjectured that there are infinitely many primes of the form n. Exhibit five such primes. Solution. Five such
More informationSILs and Software. Introduction. The SIL concept. Problems with SIL. Unpicking the SIL concept
SILs and Software PG Bishop Adelard and Centre for Software Reliability, City University Introduction The SIL (safety integrity level) concept was introduced in the HSE (Health and Safety Executive) PES
More informationSECTION 10-2 Mathematical Induction
73 0 Sequences and Series 6. Approximate e 0. using the first five terms of the series. Compare this approximation with your calculator evaluation of e 0.. 6. Approximate e 0.5 using the first five terms
More informationHardware safety integrity Guideline
Hardware safety integrity Comments on this report are gratefully received by Johan Hedberg at SP Swedish National Testing and Research Institute mailto:johan.hedberg@sp.se Quoting of this report is allowed
More informationAMS 5 CHANCE VARIABILITY
AMS 5 CHANCE VARIABILITY The Law of Averages When tossing a fair coin the chances of tails and heads are the same: 50% and 50%. So if the coin is tossed a large number of times, the number of heads and
More informationSoftware Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University
Software Engineering Introduction & Background Department of Computer Science Kent State University Complaints Software production is often done by amateurs Software development is done by tinkering or
More informationCritical Systems Validation. Objectives
Critical Systems Validation Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 24 Slide 1 Objectives To explain how system reliability can be measured and how reliability growth models can
More informationIntroducing Formal Methods. Software Engineering and Formal Methods
Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended
More informationA Second Course in Mathematics Concepts for Elementary Teachers: Theory, Problems, and Solutions
A Second Course in Mathematics Concepts for Elementary Teachers: Theory, Problems, and Solutions Marcel B. Finan Arkansas Tech University c All Rights Reserved First Draft February 8, 2006 1 Contents 25
More informationData Model Bugs. Ivan Bocić and Tevfik Bultan
Data Model Bugs Ivan Bocić and Tevfik Bultan Department of Computer Science University of California, Santa Barbara, USA bo@cs.ucsb.edu bultan@cs.ucsb.edu Abstract. In today s internet-centric world, web
More informationWald s Identity. by Jeffery Hein. Dartmouth College, Math 100
Wald s Identity by Jeffery Hein Dartmouth College, Math 100 1. Introduction Given random variables X 1, X 2, X 3,... with common finite mean and a stopping rule τ which may depend upon the given sequence,
More information3. Mathematical Induction
3. MATHEMATICAL INDUCTION 83 3. Mathematical Induction 3.1. First Principle of Mathematical Induction. Let P (n) be a predicate with domain of discourse (over) the natural numbers N = {0, 1,,...}. If (1)
More informationElementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.
Elementary Number Theory and Methods of Proof CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.edu/~cse215 1 Number theory Properties: 2 Properties of integers (whole
More informationTotal Cost of Care and Resource Use Frequently Asked Questions (FAQ)
Total Cost of Care and Resource Use Frequently Asked Questions (FAQ) Contact Email: TCOCMeasurement@HealthPartners.com for questions. Contents Attribution Benchmarks Billed vs. Paid Licensing Missing Data
More informationAPPENDIX N. Data Validation Using Data Descriptors
APPENDIX N Data Validation Using Data Descriptors Data validation is often defined by six data descriptors: 1) reports to decision maker 2) documentation 3) data sources 4) analytical method and detection
More informationSelecting Sensors for Safety Instrumented Systems per IEC 61511 (ISA 84.00.01 2004)
Selecting Sensors for Safety Instrumented Systems per IEC 61511 (ISA 84.00.01 2004) Dale Perry Worldwide Pressure Marketing Manager Emerson Process Management Rosemount Division Chanhassen, MN 55317 USA
More informationSoftware safety: relating software assurance and software integrity. Ibrahim Habli*, Richard Hawkins and Tim Kelly
364 Int. J. Critical Computer-Based Systems, Vol. 1, No. 4, 2010 Software safety: relating software assurance and software integrity Ibrahim Habli*, Richard Hawkins and Tim Kelly High Integrity Systems
More informationPhil 420: Metaphysics Spring 2008. [Handout 4] Hilary Putnam: Why There Isn t A Ready-Made World
1 Putnam s Main Theses: 1. There is no ready-made world. Phil 420: Metaphysics Spring 2008 [Handout 4] Hilary Putnam: Why There Isn t A Ready-Made World * [A ready-made world]: The world itself has to
More informationBayesian Analysis for the Social Sciences
Bayesian Analysis for the Social Sciences Simon Jackman Stanford University http://jackman.stanford.edu/bass November 9, 2012 Simon Jackman (Stanford) Bayesian Analysis for the Social Sciences November
More informationApproaches to Improve System Dependability From Formal Verification to Model-Based Testing
Approaches to Improve System Dependability From Formal Verification to Model-Based Testing Andreas Ulrich, Peter Amthor, Marlon Vieira Siemens AG, Corporate Technology, CT SE/SCR andreas.ulrich@siemens.com
More information6 Hedging Using Futures
ECG590I Asset Pricing. Lecture 6: Hedging Using Futures 1 6 Hedging Using Futures 6.1 Types of hedges using futures Two types of hedge: short and long. ECG590I Asset Pricing. Lecture 6: Hedging Using Futures
More informationTesting Hypotheses About Proportions
Chapter 11 Testing Hypotheses About Proportions Hypothesis testing method: uses data from a sample to judge whether or not a statement about a population may be true. Steps in Any Hypothesis Test 1. Determine
More informationDiscrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 13. Random Variables: Distribution and Expectation
CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 3 Random Variables: Distribution and Expectation Random Variables Question: The homeworks of 20 students are collected
More informationSAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE. Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.
SAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.com DIGITAL FLIGHT / SOLUTIONS Presentation Outline DO-178 Overview
More informationNP-Completeness and Cook s Theorem
NP-Completeness and Cook s Theorem Lecture notes for COM3412 Logic and Computation 15th January 2002 1 NP decision problems The decision problem D L for a formal language L Σ is the computational task:
More informationChoice under Uncertainty
Choice under Uncertainty Part 1: Expected Utility Function, Attitudes towards Risk, Demand for Insurance Slide 1 Choice under Uncertainty We ll analyze the underlying assumptions of expected utility theory
More informationFundamental Principles of Software Safety Assurance
Fundamental Principles of Software Safety Assurance Tim Kelly tim.kelly@york.ac.uk Context Lack of agreement in the details of requirements of software safety assurance standards has long been recognised
More informationIntroduction to Software Paradigms & Procedural Programming Paradigm
Introduction & Procedural Programming Sample Courseware Introduction to Software Paradigms & Procedural Programming Paradigm This Lesson introduces main terminology to be used in the whole course. Thus,
More informationApril 2006. Comment Letter. Discussion Paper: Measurement Bases for Financial Accounting Measurement on Initial Recognition
April 2006 Comment Letter Discussion Paper: Measurement Bases for Financial Accounting Measurement on Initial Recognition The Austrian Financial Reporting and Auditing Committee (AFRAC) is the privately
More informationDedekind s forgotten axiom and why we should teach it (and why we shouldn t teach mathematical induction in our calculus classes)
Dedekind s forgotten axiom and why we should teach it (and why we shouldn t teach mathematical induction in our calculus classes) by Jim Propp (UMass Lowell) March 14, 2010 1 / 29 Completeness Three common
More informationBasic Fundamentals Of Safety Instrumented Systems
September 2005 DVC6000 SIS Training Course 1 Basic Fundamentals Of Safety Instrumented Systems Overview Definitions of basic terms Basics of safety and layers of protection Basics of Safety Instrumented
More informationFormal Methods in Security Protocols Analysis
Formal Methods in Security Protocols Analysis Li Zhiwei Aidong Lu Weichao Wang Department of Computer Science Department of Software and Information Systems University of North Carolina at Charlotte Big
More informationVetting Smart Instruments for the Nuclear Industry
TS Lockhart, Director of Engineering Moore Industries-International, Inc. Vetting Smart Instruments for the Nuclear Industry Moore Industries-International, Inc. is a world leader in the design and manufacture
More informationInfinitely Repeated Games with Discounting Ù
Infinitely Repeated Games with Discounting Page 1 Infinitely Repeated Games with Discounting Ù Introduction 1 Discounting the future 2 Interpreting the discount factor 3 The average discounted payoff 4
More informationChapter 7. Sealed-bid Auctions
Chapter 7 Sealed-bid Auctions An auction is a procedure used for selling and buying items by offering them up for bid. Auctions are often used to sell objects that have a variable price (for example oil)
More informationProcedia Computer Science 00 (2012) 1 21. Trieu Minh Nhut Le, Jinli Cao, and Zhen He. trieule@sgu.edu.vn, j.cao@latrobe.edu.au, z.he@latrobe.edu.
Procedia Computer Science 00 (2012) 1 21 Procedia Computer Science Top-k best probability queries and semantics ranking properties on probabilistic databases Trieu Minh Nhut Le, Jinli Cao, and Zhen He
More informationOHJ-2306 Introduction to Theoretical Computer Science, Fall 2012 8.11.2012
276 The P vs. NP problem is a major unsolved problem in computer science It is one of the seven Millennium Prize Problems selected by the Clay Mathematics Institute to carry a $ 1,000,000 prize for the
More informationF-22 Raptor. Agenda. 1. Motivation
Model-Based Software Development and Automated Code Generation for Safety-Critical Systems F-22 Raptor for the Seminar Advanced Topics in Software Engineering for Safety-Critical Systems Cause: Bug in
More informationdef: An axiom is a statement that is assumed to be true, or in the case of a mathematical system, is used to specify the system.
Section 1.5 Methods of Proof 1.5.1 1.5 METHODS OF PROOF Some forms of argument ( valid ) never lead from correct statements to an incorrect. Some other forms of argument ( fallacies ) can lead from true
More informationA Simple Model of Price Dispersion *
Federal Reserve Bank of Dallas Globalization and Monetary Policy Institute Working Paper No. 112 http://www.dallasfed.org/assets/documents/institute/wpapers/2012/0112.pdf A Simple Model of Price Dispersion
More informationApplications of formal verification for secure Cloud environments at CEA LIST
Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,... SEC2, Lille, June 30 th, 2015 N. Kosmatov (CEA LIST) Formal
More informationTHE INSURANCE BUSINESS (SOLVENCY) RULES 2015
THE INSURANCE BUSINESS (SOLVENCY) RULES 2015 Table of Contents Part 1 Introduction... 2 Part 2 Capital Adequacy... 4 Part 3 MCR... 7 Part 4 PCR... 10 Part 5 - Internal Model... 23 Part 6 Valuation... 34
More informationASSESSMENT OF THE ISO 26262 STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY
ASSESSMENT OF THE ISO 26262 STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY Dr. Qi Van Eikema Hommes SAE 2012 Government/Industry Meeting January 25, 2012 1 Outline ISO 26262 Overview Scope of the Assessment
More informationTetris is Hard: An Introduction to P vs NP
Tetris is Hard: An Introduction to P vs NP Based on Tetris is Hard, Even to Approximate in COCOON 2003 by Erik D. Demaine (MIT) Susan Hohenberger (JHU) David Liben-Nowell (Carleton) What s Your Problem?
More informationAutomated Program Behavior Analysis
Automated Program Behavior Analysis Stacy Prowell sprowell@cs.utk.edu March 2005 SQRL / SEI Motivation: Semantics Development: Most engineering designs are subjected to extensive analysis; software is
More informationCONTENTS OF DAY 2. II. Why Random Sampling is Important 9 A myth, an urban legend, and the real reason NOTES FOR SUMMER STATISTICS INSTITUTE COURSE
1 2 CONTENTS OF DAY 2 I. More Precise Definition of Simple Random Sample 3 Connection with independent random variables 3 Problems with small populations 8 II. Why Random Sampling is Important 9 A myth,
More information1 Signatures vs. MACs
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures
More informationMathematics Cognitive Domains Framework: TIMSS 2003 Developmental Project Fourth and Eighth Grades
Appendix A Mathematics Cognitive Domains Framework: TIMSS 2003 Developmental Project Fourth and Eighth Grades To respond correctly to TIMSS test items, students need to be familiar with the mathematics
More informationParameters for Efficient Software Certification
Parameters for Efficient Software Certification Roland Wolfig, e0327070@student.tuwien.ac.at Vienna University of Technology, Real-Time Systems Group 1 Abstract Software certification is a common approach
More informationNotes from February 11
Notes from February 11 Math 130 Course web site: www.courses.fas.harvard.edu/5811 Two lemmas Before proving the theorem which was stated at the end of class on February 8, we begin with two lemmas. The
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More information11 Ideals. 11.1 Revisiting Z
11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(
More informationPhilosophical argument
Michael Lacewing Philosophical argument At the heart of philosophy is philosophical argument. Arguments are different from assertions. Assertions are simply stated; arguments always involve giving reasons.
More informationSoftware Certification and Software Certificate Management Systems
Software Certification and Software Certificate Management Systems (Position Paper) Ewen Denney and Bernd Fischer USRA/RIACS, NASA Ames Research Center, Moffett Field, CA 94035, USA {edenney,fisch}@email.arc.nasa.gov
More informationRandomized algorithms
Randomized algorithms March 10, 2005 1 What are randomized algorithms? Algorithms which use random numbers to make decisions during the executions of the algorithm. Why would we want to do this?? Deterministic
More information